Re: [RFC PATCH 2/3] Revert "android: binder: stop saving a pointer to the VMA"

From: Carlos Llamas
Date: Thu May 18 2023 - 13:03:47 EST

Next message: kernel test robot: "Re: [PATCH v2 2/4] kunit: executor_test: Use kunit_add_action()"
Previous message: Sasha Levin: "Re: [PATCH AUTOSEL 6.3 08/59] bpf, mips: Implement DADDI workarounds for JIT"
In reply to: Liam R. Howlett: "Re: [RFC PATCH 2/3] Revert "android: binder: stop saving a pointer to the VMA""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 18, 2023 at 10:40:52AM -0400, Liam R. Howlett wrote:
>
> I came across this [1] when I was looking into something else and
> thought I'd double back and make sure your fix for this UAF is also
> included, since your revert will restore this bug.
>
> I do still see the mmap_read_lock() in binder_update_page_range() vs the
> required mmap_write_lock(), at least in my branch.
>
> [1] https://lore.kernel.org/all/20221104175450.306810-1-cmllamas@xxxxxxxxxx/
>

Thanks Liam, I believe you are correct. The UAF should trigger on newer
releases after the revert of your patch. I'll try to reproduce the issue
to confirm and will send the fix afterwards. This was a nice find!

Thanks,
--
Carlos Llamas

Next message: kernel test robot: "Re: [PATCH v2 2/4] kunit: executor_test: Use kunit_add_action()"
Previous message: Sasha Levin: "Re: [PATCH AUTOSEL 6.3 08/59] bpf, mips: Implement DADDI workarounds for JIT"
In reply to: Liam R. Howlett: "Re: [RFC PATCH 2/3] Revert "android: binder: stop saving a pointer to the VMA""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]